[Unit]
Description=Kubernetes API Server
Documentation=https://github.com/kubernetes/kubernetes
After=network.target

[Service]
ExecStart={{ k8s_bin_path }}/kube-apiserver \
      --v=2  \
      --allow-privileged=true  \
      --bind-address=0.0.0.0  \
      --secure-port=6443  \
      --advertise-address={{ inventory_hostname }} \
      --service-cluster-ip-range={{ k8s_cluster_ip_range }}  \
      --service-node-port-range={{ k8s_cluster_port_range }}  \
      --etcd-servers={{ groups['etcd'] | map('regex_replace', '^', 'https://') | map('regex_replace', '$', ':2379') | join(',') }} \
      --etcd-cafile={{ k8s_cert_path }}/etcd-ca.pem  \
      --etcd-certfile={{ k8s_cert_path }}/etcd.pem  \
      --etcd-keyfile={{ k8s_cert_path }}/etcd-key.pem  \
      --client-ca-file={{ k8s_cert_path }}/ca.pem  \
      --tls-cert-file={{ k8s_cert_path }}/apiserver.pem  \
      --tls-private-key-file={{ k8s_cert_path }}/apiserver-key.pem  \
      --kubelet-client-certificate={{ k8s_cert_path }}/apiserver.pem  \
      --kubelet-client-key={{ k8s_cert_path }}/apiserver-key.pem  \
      --service-account-key-file={{ k8s_cert_path }}/sa.pub  \
      --service-account-signing-key-file={{ k8s_cert_path }}/sa.key  \
      --service-account-issuer=https://kubernetes.default.svc.cluster.local \
      --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname  \
      --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota  \
      --authorization-mode=Node,RBAC  \
      --enable-bootstrap-token-auth=true  \
      --requestheader-client-ca-file={{ k8s_cert_path }}/front-proxy-ca.pem  \
      --proxy-client-cert-file={{ k8s_cert_path }}/front-proxy-client.pem  \
      --proxy-client-key-file={{ k8s_cert_path }}/front-proxy-client-key.pem  \
      --requestheader-allowed-names=aggregator  \
      --requestheader-group-headers=X-Remote-Group  \
      --requestheader-extra-headers-prefix=X-Remote-Extra-  \
      --requestheader-username-headers=X-Remote-User \
      --enable-aggregator-routing=true

Restart=on-failure
RestartSec=10s
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target